Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Domain Theft is Still a Little Too Easy

Several years after the infamous Sex.com case, it's still possible to rip off a domain name using technologies that date to the Carter administration. Why are the registrars so unwilling to talk about it?

WEBINAR:On-Demand

Do you ever get spam offering to sell you fake IDs? Heres one reason why some people want to buy one: a fake ID, a fax machine, and an absence of morals are all thats needed to hijack any domain name.

Yes, stealing a domain name from its rightful owners still appears to be childs play. A reader contacted me about his case involving the domain name DVDMovies.com. Several weeks ago Arnold Jones of Visionario Inc., a storage consulting firm and owner of dvdmovies.com, discovered that this domain had been transferred to someone else.

This person had sent in to Network Solutions, the registrar holding the registry of dvdmovies.com, a request by fax to change the e-mail contacts on the registration to a free yahoo.com address. Even though his identification information had been forged, including a copy of a fake Florida drivers license with Joness work address on it, Network Solutions happily obliged and did not scrutinize the license.

Once the e-mail contact had been changed, the domain pirate simply sent a request to reset the password on the account, and he replied from the new address. Now that he had control over the account, he could transfer the registration to another registrar.

The fake Florida drivers license lacked all the major characteristics of a legitimate Florida drivers license.

Jones required two weeks of time and effort before he got his domain back. If he was less sophisticated about these matters, it might have taken him much longer to take control of the domain. To compensate him for the two weeks of time and the lack of his domain, Network Solutions extended his registration by a year, a $35 value. Gosh, I hope he declares this on his taxes.

Neither Network Solutions nor the registrar to whom the pirate moved the domain, Domain Name Systems, Inc., would provide any information about the hijacker, and Domain Name Systems had actually received payment from him. They told Jones that they would only release the information pursuant to a court order.

Theres actually a famous case just like this, the Sex.com case. This is a pretty strategic domain name for some people, as you can imagine. and it was owned by one Gary Kremen, who must have thought about such things often enough that he registered the domain name before anyone else. Stephen Cohen, a convicted felon straight out of the big house, duped Network Solutions (remember them?) into transferring the domain to him by using a transfer letter with a forged signature and a number of fake supporting documents.

Most of the attention to legal issues with domain names have to do with violations of trademarks, like some stranger registering Exxon.com before Exxon though to do it. There is an administrative process for dispute resolution available through the Internet Corporation for Assigned Names and Numbers, the body which oversees domain issues, called the uniform dispute resolution process. However, this is a very different issue than the hijacking of domain names.

I contacted Network Solutions to ask them about Mr. Joness case in particular and about domain theft generally. They declined to talk to me about any aspect of the story, including generic guidelines for people to follow in order to deal with or avoid domain theft.

Here are some of the specific questions that Network Solutions declined to answer:

When Network Solutions discovers a fraudulent attempt to change registrant information, does it pass the information on to the proper authorities?

What does Network Solutions do to prevent someone from hijacking a domain via fax?

What advice does Network Solutions have for customers trying to protect themselves?

Given the history and the recent problems, these arent abstract or absurd questions. I dont know about you, but Id think twice about doing business with a company that wont answer questions like this. Of course, everyone with a .com domain has to do business with Network Solutions, at least indirectly. But at least we have a choice.

Sad to say, Network Solutions refusal to talk to me was more communication than I got out of any other domain registration business. I tried to get in touch with the two companies with which I have registered domains, Register.com and GoDaddy. (To be truthful, just the other day I transferred my only GoDaddy domain to Register.com, so I dont really have any business anymore at GoDaddy.)

I couldnt get through to anyone at GoDaddy who would talk to the press on the subject. All Register.com would say is that they take measures to prevent theft, but they cant discuss the measures for security purposes. (Perhaps they could tell me, but then theyd have to kill me.)

Getting back to the generic issue of what we can do to protect ourselves, Jones said you cant do it alone. Once he convinced Network Solutions that they had been scammed, he sent them a copy of his own ID with instructions that they only make transfers when the ID matched it, and he recommends everyone do the same. Sounds like a good idea, if your registrar will listen to you and accept such a directive in advance.

I have run into domain registrations, such as stealthisdomain.com,) that include mention of how the domain is "protected." I havent been able to determine what this means, but I presume that it involves some sort of enhanced authentication before any transfer can take place.

There is also at least one service, Domains By Proxy, which creates an indirection in the registration. The whois database contains no information about you, just about Domains By Proxy. You can tell Domains By Proxy to forward e-mail sent to the contact information for the domain, or you can have them bounce it. Since domain registration contact info is a major source of addresses for spammers, this also helps to keep your Inbox clean. And anyone who wants to make changes in the registration information will first have to convince Domains By Proxy.

There are two problems with the Domains By Proxy service: they cost $9 a year per domain, which seems like a lot for the amount of work they do. And they only work with GoDaddy registrations, or so it appears from their site. I wanted to learn more about them, such as whether they would be available for other registrars. Heres the punch line: they didnt return my phone calls.

Discuss This in the eWEEK Forum

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.

By submitting your information, you agree that eweek.com may send you eWEEK offers via email, phone and text message, as well as email offers about other products and services that eWEEK believes may be of interest to you. eWEEK will process your information in accordance with the Quinstreet Privacy Policy.

We ran into a problem

We already have your email address on file. Please use the "Forgot your password?" link to create a password, validate your email and login.